Edit authorization rules
Users gain access to a storage system or component either directly through a role assignment, or indirectly through membership in a user group that has a role assignment, or both.
Prerequisites
- To perform this operation, you must be the Initial Setup User (set during installation), or a SecurityAdmin on all authorized storage systems.
About this task
See Roles and associated permissions for an overview of the Role-Based Access Control (RBAC) functionality.
To modify authorization rules:
Steps
- Select to open the Settings panel.
- Select .
- Select a storage system ID from the list.
- Select a role and click Modify.
- On the Roles tab, add or remove roles from any of the available objects, taking care not to exceed the limit of four roles per object.
- If you choose a Local Replication, Remote Replication, or Device Management role, click Select Storage Group(s) and, in the edit dialog that opens, choose between:
  - Wildcard: A wildcard syntax used with the storage group component name to allow a single rule to apply to multiple storage groups.

    A simple wildcard syntax can be used with the component name to allow a single rule to apply to multiple SGs as follows:

    - abc: Exactly these characters
    - ?: Any single character
    - *: Any zero or more characters
    - +: Zero or more additional occurrences of the previous match
    - [a-z0-9]: Any of these characters
    - [!a-z]: Anything but one of these characters

    All SG name comparisons are case-insensitive. The following examples show how they are interpreted:

    Table 1. Wildcard syntax examples

    | This pattern | Matches these Storage Groups | Does not match these Storage Groups |
    |---|---|---|
    | tg_* | tg_DB_SG1 or tg_newSG or TG_sg_db | tgNewSG |
    | prod_sg? | prod_sg1 or prod_sga or Prod_sg2 | prod_sg12 or prod_sgab |
    | prod_sg[0-9]+ | prod_sg1 or prod_sg12 | prod_sga or prod_sgab |

    The only allowed characters are: a-zA-Z0-9_- along with the above *+?[]! wildcard characters.

    The only roles that can be assigned against storage groups are: Local Replication, Remote Replication, and Device Management.

    Storage groups do not have to exist at the time that a matching RBAC rule for them is defined.

    These storage group-level RBAC rules apply only to parent and stand-alone SGs, not to child SGs. Child SGs are protected by the RBAC rules, if any, on their parent SG.
  - Storage Group
- Once your input or selection is complete, click Save.
- Click OK.
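
The wildcard syntax described in the steps above can be previewed before a rule is saved, to confirm it covers only the intended storage groups. The following Python sketch is an added example, not code from the product or its documentation; the names `rule_to_regex`, `covered` and `SAMPLE_SGS` are hypothetical, and the rejection of malformed rules (a leading `+`, an unclosed or empty `[...]`) is an assumption, since the page does not say how such rules are handled.

```python
import re

# Character set the page allows in a rule: a-zA-Z0-9_- plus the wildcards *+?[]!
ALLOWED = re.compile(r"[A-Za-z0-9_\-*+?\[\]!]+")
CLASS_BODY = re.compile(r"!?[A-Za-z0-9_-]+")

def rule_to_regex(pattern):
    """Translate a storage-group wildcard rule into a case-insensitive regex."""
    if not ALLOWED.fullmatch(pattern):
        raise ValueError(f"disallowed character in rule {pattern!r}")
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "?":
            parts.append(".")                      # any single character
        elif c == "*":
            parts.append(".*")                     # any zero or more characters
        elif c == "+":
            # Assumption: '+' with nothing before it, or after another '+', is rejected.
            if not parts or parts[-1].endswith("+"):
                raise ValueError(f"'+' has nothing to repeat in {pattern!r}")
            if parts[-1] != ".*":                  # '*+' already means "anything"
                parts[-1] += "+"
        elif c == "[":
            end = pattern.find("]", i)
            body = pattern[i + 1:end] if end != -1 else ""
            # Assumption: a class holds only name characters, '!' first to negate.
            if not CLASS_BODY.fullmatch(body):
                raise ValueError(f"malformed character class in {pattern!r}")
            parts.append("[" + body.replace("!", "^", 1) + "]")
            i = end
        elif c in "]!":
            raise ValueError(f"stray {c!r} outside a character class in {pattern!r}")
        else:
            parts.append(re.escape(c))             # exactly this character
        i += 1
    try:
        return re.compile("".join(parts), re.IGNORECASE)
    except re.error as exc:                        # e.g. a reversed range such as [z-a]
        raise ValueError(f"invalid range in {pattern!r}: {exc}") from None

def covered(pattern, names):
    """Return the storage-group names (existing or planned) that the rule applies to."""
    rx = rule_to_regex(pattern)
    return [n for n in names if rx.fullmatch(n)]

# Constructed inventory, using the names from Table 1.
SAMPLE_SGS = ["tg_DB_SG1", "tg_newSG", "TG_sg_db", "tgNewSG", "prod_sg1",
              "prod_sga", "Prod_sg2", "prod_sg12", "prod_sgab"]
```

Because a rule can be defined before the storage groups it matches exist, pass planned names to `covered()` as well as current ones; a rule such as `*` returns the whole list, which is a quick sign that it is broader than intended.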